TSA security flaws exposed users to risk of identity theft

The chairman of the House Oversight and Government Reform Committee published a report Friday with details about the committee's investigation into security flaws found in the Transportation Security Administration's (TSA) traveler redress web site. TSA is a division of the Department of Homeland Security (DHS) and is responsible for baggage inspection and airport security. The site—which enables travelers to seek removal from airline watch lists by providing personal identification information—operated for four months before the vulnerabilities were detected.

The web site was hosted on a commercial domain by a contractor and did not use SSL encryption for submission forms that transmit sensitive identification information. The few pages of the site that did use SSL used an expired certificate that had been self-signed by the contractor. The lack of proper encryption was brought to the attention of TSA last year by security researcher Chris Soghoian, who noted that such "major incompetence" could have been avoided by basic oversight.
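The two defects described above, a submission form that posts personal data without HTTPS and an expired, self-signed certificate, are exactly what a pre-launch check should catch. The following is an added example, not code from the article, TSA or the contractor; the hostname, HTML and certificate fields are constructed, and the sensitive-field name list is an assumption.

```python
import ssl
import time
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Field-name fragments that mark personal identification data (assumed list).
SENSITIVE = ("ssn", "social", "passport", "dob", "birth")


class FormCollector(HTMLParser):
    """Record every <form> on a page with its resolved action URL and input names."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms = page_url, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":  # relative actions inherit the scheme of the page itself
            self.forms.append({"action": urljoin(self.page_url, a.get("action") or ""), "fields": []})
        elif tag in ("input", "select", "textarea") and self.forms:
            self.forms[-1]["fields"].append((a.get("name") or "").lower())


def audit_forms(page_url, html):
    """Return (action, sensitive_fields) for every form that would post PII without HTTPS."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        pii = [n for n in form["fields"] if any(k in n for k in SENSITIVE)]
        if pii and urlsplit(form["action"]).scheme != "https":
            findings.append((form["action"], pii))
    return findings


def audit_cert(cert, now_ts=None):
    """Flag expiry and self-signing on a dict shaped like ssl.SSLSocket.getpeercert()."""
    now_ts = time.time() if now_ts is None else now_ts
    issues = []
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now_ts:
        issues.append("expired")
    if cert["issuer"] == cert["subject"]:  # nobody but the site itself vouched for the key
        issues.append("self-signed")
    return issues


# Constructed sample: a redress-style form posting over plain HTTP beside a harmless search form.
SAMPLE_URL = "http://redress.example.invalid/apply"
SAMPLE_HTML = """<form action="/redress/submit" method="post">
<input name="fullName"><input name="SSN"><input name="dateOfBirth"></form>
<form action="https://redress.example.invalid/search"><input name="q"></form>"""
SAMPLE_CERT = {"subject": ((("commonName", "redress.example.invalid"),),),  # constructed
               "issuer": ((("commonName", "redress.example.invalid"),),),
               "notAfter": "Oct 01 12:00:00 2007 GMT"}
REVIEW_TS = ssl.cert_time_to_seconds("Feb 15 00:00:00 2008 GMT")  # constructed review date
```

Serving the same page over HTTPS makes the relative form action inherit that scheme, so `audit_forms` then reports nothing; the certificate check is independent and still flags an expired or self-signed certificate.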

"At the request of Chairman Henry Waxman, Committee staff have been investigating how TSA could have launched a web site that violated basic operating standards of web security and failed to protect travelers' sensitive personal information," says the report summary. "These deficiencies exposed thousands of American travelers to potential identity theft."

According to the report, the TSA was completely unaware of the security issues while the site was in operation. During that time, thousands of travelers submitted personal information through the website and a TSA administrator claimed in congressional testimony that the agency had assured "the privacy of users and the security of the system."

The web site was created by Desyne Web Services, a web marketing firm from northern Virginia whose clientèle includes the FBI, USA Today, and George Foreman. TSA awarded Desyne a no-bid contract valued at $48,816 for development of the redress system. According to the report, the Request for Quote (RFQ) issued by TSA prior to making the deal stated that Desyne was "the only vendor that could meet the program requirements." The report notes that Nicholas Panuzio, the TSA employee and technical lead who authored the RFQ, had previously worked for Desyne and had known the owner of the web design company since high school—a serious conflict of interest.

Following the revelation of security vulnerabilities in the system, TSA transferred the site to a Department of Homeland Security (DHS) domain and notified users who had submitted information through the unencrypted form that they had been exposed to the risk of identity theft. The committee's report notes, however, that TSA never reprimanded Panuzio or imposed sanctions on Desyne. In fact, the report says that Desyne continues to operate several major TSA web sites and has received over $500,000 in no-bid contracts for web services from TSA and DHS.

This isn't the first time that TSA has gotten itself into trouble for exposing sensitive identification information. Last year, the agency lost a hard drive with names, Social Security numbers, salary information, and bank routing numbers for 100,000 TSA employees, including air marshals. The DHS has also suffered serious security breaches in the past year.

As we have noted in the past, the TSA terror watch list has very little efficacy and may actually contribute to security problems. The creation of the TSA redress system was precipitated in the first place by a study conducted by the Government Accountability Office (GAO) which found that approximately half of the individuals on the watch lists were false positives. The GAO has also reported ongoing problems with people on the no-fly list accidentally being permitted to fly. Additionally, TSA reported last year that screeners missed approximately 75 percent of simulated explosives and bomb components that testers hid in their clothing and carry-on bags at Los Angeles International Airport during a review of airport security procedures.

In light of TSA's steady litany of serious failures, perhaps it's time for Congress to reconsider the agency's role in airport security.